b'      NATIONAL CREDIT UNION ADMINISTRATION\n\n               OFFICE OF INSPECTOR GENERAL\n\n\n                        Review of NCUA\xe2\x80\x99s\n                     Official Personnel Folders\n\n\n            Report #OIG-07-10            October 1, 2007\n\n\n\n\n                          William A. DeSarno\n                          Inspector General\n\nReleased By:                                   Auditor-in-Charge:\n\n\n\nJames W. Hagen                                 Dwight Engelrup\nAssistant Inspector General for Audits         Senior Auditor\n\x0c                     TABLE OF CONTENTS\n                                         Page\n\nEXECUTIVE SUMMARY                         1\n\nBACKGROUND                                3\n\nPURPOSE AND OBJECTIVES                    4\n\nSCOPE AND METHODOLOGY                     4\n\nRESULTS                                   5\n\nAPPENDIX A \xe2\x80\x93 MANAGEMENT COMMENTS          10\n\n\n\n\n                             i\n\x0c                               EXECUTIVE SUMMARY\n\n\nOfficial Personnel Folders (OPFs) contain records that document an individual employee\xe2\x80\x99s\nFederal government employment history. The OPF follows an employee throughout his or her\nFederal career. The OPFs maintained in many federal agencies, including the National Credit\nUnion Administration (NCUA), are hardcopy (paper) versions. In recent years, Congressional\nhearings have looked at OPF maintenance and the feasibility of agencies\xe2\x80\x99 converting from the\ncurrent paper OPF system to an electronic system. Some federal agencies have already\nconverted and many others are in the process of doing so. Agencies converting from paper to\nelectronic OPFs can reduce paperwork, storage space, and staff hours to maintain the files. In\naddition, electronic OPFs may improve the accuracy of files, and provide better access to\nemployees requesting to review their own records.\n\nDue to the importance of OPFs, the current Federal emphasis on protecting Personally\nIdentifiable Information (PII), and the attention to this issue by the Office of Management and\nBudget (OMB), as part of the President\xe2\x80\x99s Management Agenda, the Office of Inspector General\n(OIG) added this survey review to its 2007 Annual Performance Plan. Our objectives were to\ndetermine whether NCUA is accurately maintaining and storing OPFs, and to evaluate the\nagency\xe2\x80\x99s ability to migrate to an electronic OPF system. Our primary office of review was the\nNCUA Office of Human Resources (OHR).\n\nWe Reviewed OPM Requirements and Guidance as well as NCUA OHR Internal Controls\n\nWe concluded that the NCUA OHR is aware of OPM\xe2\x80\x99s regulatory requirements and guidance\nfor compiling and maintaining OPFs. However, OHR reported that, with the exception of its\nPhysical Security Plan (security plan) which addresses disaster recovery planning, it has no\nwritten internal control procedures, such as document checklists or management monitoring\nreports, to ensure that OHR staff members are fully complying with OPM requirements. We\ndetermined that OHR can, by developing its own internal control procedures, ensure that it is\nbetter adhering to OPM requirements and guidance and, consequently, ensure the accuracy and\ncompleteness of the OPFs it maintains.\n\nWe Reviewed NCUA\xe2\x80\x99s Maintenance of OPFs and Performed a Sample Review of 30 OPFs\n\nWe concluded that OHR could improve its maintenance of OPFs. Specifically, we observed that\nOHR needs to develop formal internal control procedures to ensure that OHR staff is\nmaintaining OPF documentation in a complete and accurate manner. This is especially\nimportant as OHR considers transitioning in the future to an electronic OPF system. During our\nsample review, we observed that the documentation maintained in OPFs for the past five years\nwas generally complete. However, in this same sample, we found that for the complete time\nframe of the OPF, over 50% of the OPFs were either incomplete or contained errors.\nConsequently, our report contains three recommendations for operational improvement.\n\n\n\n\n                                             1\n\x0cWe Reviewed NCUA Plans and Ability to Transition to Electronic OPF; eOPF; and Image Now\nWe concluded that NCUA does not now have electronic Official Personnel Folders (OPF) or the\ncurrent ability to transition to an electronic OPF sanctioned by the Office of Personnel\nManagement (OPM). We observed the OHR is interested in converting to electronic OPFs, and\nhas taken steps to obtain information preparatory to selection of the eOPF system approved by\nand supported by OPM.\n\nWe also determined that NCUA dose not have a completed electronic image of OPFs for the\npurpose of disaster recovery. Our report contains one recommendation for operational\nimprovement in this area.\n\n\n\n\n                                            2\n\x0c                                      BACKGROUND\n\n\nThe Official Personnel Folder (OPF) is a file containing records that cover an individual\xe2\x80\x99s\nemployment history. Federal agencies, including NCUA, maintain OPFs for federal employees\nin accordance with Title 5, Code of Federal Regulations, Part 293 as well as OPM\xe2\x80\x99s Guide to\nFederal Recordkeeping (Guide). The long-term records included in an OPF protect the legal and\nfinancial rights of the Government and the employee. OPFs are part of OPM\xe2\x80\x99s system of records\nunder the Privacy Act of 1974, as amended (5 U.S.C. 552a) and OPM, therefore, owns the\npersonnel folder and its contents, even though individual agencies maintain the files for their\nrespective employees. Part 293, the Privacy Act, and OPM\xe2\x80\x99s Guide all contain rules for\ncreating, maintaining, using, providing access to, and disposing of the OPF. According to the\nGuide, certain documents should be filed in an OPF on a permanent basis, some on a temporary\nbasis, and some documents should never be filed in an OPF.\n\nOPM regulations do not require agencies to maintain electronic OPFs. NCUA currently\nmaintains OPFs in hardcopy (paper) form, although it has commenced electronic scanning of\npersonnel action documents with the ImageNow system in the past few years. For the agency to\ntransition to a comprehensive electronic OPF system, NCUA must receive prior approval from\nOPM of the system it intends to use. OHR is currently evaluating an OPM-approved electronic\nversion, entitled eOPF, offered by OPM.\n\nIn addition to the guidance provided by OPM primarily in The Guide to Personnel\nRecordkeeping, the NCUA Office of Human Resources has implemented a Physical Security\nPlan that is reviewed and updated annually. The security plan names a security officer; and\naddresses standard operations procedures for the office, and OPF file security. Other guidance is\naddressed in the agenda and flow-chart for staff training for the Image Now system maintained\nby the Office of the Chief Information Officer (OCIO). The Image Now system is used by OHR\nto scan personnel action documents permanently maintained in the OPF. These scanned\ndocuments are stored as part of NCUA\xe2\x80\x99s disaster recovery backup of the hard copy OPFs.\n\n\n\n\n                                              3\n\x0c                             PURPOSE AND OBJECTIVES\n\n\nThe OIG performed this OPF review because of the importance of the following: (1) the privacy\ninterests inherent in OPFs; (2) the significance of the service performed by OHR in maintaining\nthe OPFs and making them available for viewing by NCUA employees; and (3) OHR\xe2\x80\x99s\nconsideration to migrate to a comprehensive electronic OPF system.\n\nOur survey objective was to determine how NCUA is maintaining and storing accurate Official\nPersonnel Files and their ability to migrate to an electronic system. The primary office for the\nreview was OHR.\n\n\n                            SCOPE AND METHODOLOGY\n\n\nWe conducted our review of OPFs in June and July 2007. We looked at the requirements for\nmaintaining OPFs and OHR\xe2\x80\x99s compliance with those requirements. In this regard, we performed\na sampling of individual OPFs and evaluated what we found there. We also looked at the\nagency\xe2\x80\x99s plans for and current progress toward migrating to an electronic OPF system.\n\nTo meet our survey objectives we:\n\n       1. Identified and performed a limited review of OPM and other legal requirements\n          affecting OPFs;\n\n       2. Identified and reviewed OPM and OHR guidance for maintaining OPFs;\n\n       3. Interviewed NCUA OHR and OCIO staff members; and\n\n       4. Identified and selected for review a random sample of 30 of NCUA\xe2\x80\x99s 949 OPFs for\n          completeness and accuracy of information.\n\nThis survey work was performed preparatory to performing an audit in this area.\n\nThis survey was performed in accordance with Generally Accepted Government Auditing\nStandards.\n\n\n\n\n                                              4\n\x0c                                         RESULTS\n\n\n                        OPF Requirements and NCUA Internal Controls\n\nWe concluded that while the NCUA OHR is aware of OPM\xe2\x80\x99s requirements and guidelines for\npreparing and maintaining OPFs, it needs to improve its adherence to those requirements. In\nparticular, we found that OHR should ensure that OPF document development, maintenance,\nsafeguarding, and access principles comply with OPM regulations, the Guide, and Privacy Act\nregulations.\n\nMoreover, we found that OHR needs to develop its own internal control procedures for OPFs\nthat conform to the OPM regulations and the Guide. As reported above, we found that OHR does\nnot have its own internal OPF control procedures, such as document checklists or management\nmonitoring reports. Rather, OHR management informed us that \xe2\x80\x9cRequests for Personnel\nActions\xe2\x80\x9d (SF 52) are reviewed at the time of the action, along with an informal review of the\nOPF. OHR supervisors informed us that they plan to formalize a more comprehensive OPF\nreview procedure.\n\nWith regard to the issue of employee access to his or her OPF, we found that OHR\xe2\x80\x99s practice is\nto: (1) permit the employee to view the original OPF at the OHR offices in the Central Office; or\n(2) photocopy and send the reproduced OPF to the employee by Federal Express service. We\nconcluded that OHR should ensure that when it develops its internal control procedures, they\nshould address compliance with OPM and Privacy Act requirements governing employee access\nand privacy\n\n                                  OHR Maintenance of OPFs\n\nWe randomly selected for review 30 OPFs from the current directory listing of 949 NCUA\nemployees. The purpose of our sample review was to determine whether the OPFs were\ncomplete and accurate with reference to items identified by OPM on their OPF Review checklist.\nWe modified our sample checklist from the OPM-supplied checklist to emphasize the following\npermanent documents: (1) Notification of Personnel Action forms (SF 50); (2) health insurance,\nlife insurance, and Thrift Savings Plan election forms; and (3) certain other documents. During\nour sample review, we also looked the status of documents filed in the OPF (permanent versus\ntemporary), and whether the OPF contained prohibited documentation that should not have been\nfiled in the OPF. We observed that in general, the documentation filed within the most recent\nfive year period appeared to be complete.\n\nHowever, when we looked at documents filed in the sample OPFs for the complete time frame of\nthe OPFs reviewed, we observed that over 50 percent were either incomplete and/or had errors.\nIncompletions and inaccuracies included missing Standard Form (SF) 50\xe2\x80\x99s; SF 50\xe2\x80\x99s that were\nnot signed by an appropriate official; documents misfiled or out of chronological order; and\nOPFs that contained prohibited documents. Specifically, we observed the following: (1) thirty\nseven percent of the folders contained documents that showed corrections (such as crossed out\n\n                                              5\n\x0cinformation) or that needed corrections; (2) thirty percent of the folders appeared to be lacking at\nleast one SF 50, primarily for pay adjustment actions; (3) twenty seven percent of the folders\ncontained SF 50s not signed by the approving official; (4) twenty three percent of the folders\ncontained documents not properly filed in the folder; and (5) seventeen percent of the folders\ncontained documents not filed in chronological order.\n\nBased upon our sample review and discussions with OHR staff, we made three\nrecommendations.\n\nRecommendation 1\nOHR should develop formal OPF internal control procedures. The procedures should address\nthe OHR\xe2\x80\x99s compliance with OPM\xe2\x80\x99s requirements and guidance for accuracy and completeness\nof the OPFs.\n\nManagement Response\nOHR\xe2\x80\x99s Division of Staffing, Classification and Pay is drafting various standard operating\nprocedures (SOPs) relating to the maintenance (i.e., accuracy and completeness) of OPFs. In\nOHR\xe2\x80\x99s 2008 budget submission, it has requested $100,000 for OPF review and clean-up, and\nevaluation of processing methods.\n\nOIG Response\nWe agree with the planned corrective action.\n\nRecommendation 2\nThe internal control procedures should require development of management reports and\nchecklists as needed to monitor OPF activity in the department and to ensure consistency and\ntimeliness in the procedures\xe2\x80\x99 application.\n\nManagement Response\nOHR will develop checklists, in accordance with the guidance outlined in the \xe2\x80\x9cGuide to\nPersonnel Recordkeeping,\xe2\x80\x9d which will address managerial oversight and control of the OPF\nmaintenance SOPs referenced above.\n\nOIG Response\nWe agree with the planned corrective action.\n\nRecommendation 3\nOHR should review all NCUA OPFs and make appropriate corrections to ensure that all\ndocumentation in every OPF is currently accurate, up-to-date, and ready for migration to an\nelectronic OPF system.\n\nManagement Response\nOHR plans to perform OPF clean up in compliance with the \xe2\x80\x9cGuide to Personnel\nRecordkeeping\xe2\x80\x9d as well as for the migration to the electronic OPF format in the next few years.\nOIG Response\nWe agree with the planned corrective action.\n\n                                               6\n\x0c              NCUA Ability to Transition to Electronic Official Personnel Folders\n\nBased upon our review of OPM requirements and discussions with OHR and OCIO staff, we\nconcluded that NCUA has not yet migrated to an electronic OPF system; nor is it currently able\nto transition to an electronic system that would meet with OPM\xe2\x80\x99s approval. We found that in its\ntentative exploration of electronic OPF systems, OHR has expressed particular interest in the\ne-OPF system approved and offered by OPM through an OPM contractor.\n\nAs stated previously in this report, OPM does not presently require that agencies maintain, store,\nand provide access to OPFs electronically. NCUA currently maintains OPFs in paper form.\nHowever, consonant with the Federal Government\xe2\x80\x99s e-Gov initiatives which advocate a\npaperless environment, OPM has accepted leadership for five initiatives that fall within the\nhuman resources line of business. Under the Enterprise Human Resources Integration (EHRI)\ninitiative, a primary goal is for all agencies to transition from paper to electronic OPFs. The\nFederal Government believes the elimination of paper OPFs will benefit agencies by achieving\nsignificant cost savings due to the reduction/elimination of paper (filing, printing, copying, and\nmailing), while simultaneously improving accuracy of and accessibility to the folders. This, in\nturn, would improve the efficiency of agency human resources departments.\n\nAgencies that want to create and maintain electronic versions of the OPF must seek approval\nfrom the sponsoring agency. OPM is the sponsoring agency for most of the forms in the OPF.\nAs the sponsoring agency, OPM has established procedures for approving electronic OPF\nsystems.\n\nThe eOPF System\n\nThe eOPF is an electronic version of hard copy OPFs approved by OPM. The OPM eOPF\nsystem houses Federal employees\xe2\x80\x99 digitized paper OPFs. In FY 2006, eleven agencies moved to\nan eOPF module. OPM has developed performance metrics to increase the number of personnel\nrecords converted and to increase the number of agencies using eOPF. The metrics are\ncontingent on the agencies\xe2\x80\x99 ability to provide funding for their conversions.\n\nIn January 2007, OHR began to give serious consideration to e-OPF system. Recently, OHR\nrecommended that NCUA should convert to the eOPF system because it is currently the only\nOPM-certified system. In addition, NCUA uses the same personnel information collection\nsystem as OPM. In reviewing OPM\xe2\x80\x99s Strategic and Operational Plan for 2006-2010, OHR\nidentified OPM\xe2\x80\x99s goal that, by October 1, 2010, 90 percent of all paper OPFs would be\nconverted to an electronic format. OHR hosted an initial OPM presentation of the eOPF system\nin May, 2007, and a follow-up presentation in July, 2007. At the July presentation, attendees\nincluded representatives from OHR, the Office of the Executive Director (OED), OCIO, and\nOIG. At that presentation, OPM indicated that 28 agencies or component offices/bureaus of\nagencies already have or are in the process of transitioning to the eOPF system.\n\nImageNow\n\n                                              7\n\x0cIn February 2003, the OHR determined NCUA should have a process in place to image copy\ncertain critical OPF documents to maintain a backup to the OPF in the event of a disaster at\nNCUA headquarters. The OHR focus in using the imaging was to meet disaster recovery needs.\nThe OCIO researched options for an image-based document management system. A contract\nwas awarded for the ImageNow software system in October 2003. Training on the system was\nperformed in December 2003. System implementation began in January 2004. Initial scanning\nof documents filed on the right hand side of the OPF (permanent records) was completed for all\nOPFs in May 2004.\n\nSince May 2004, when OHR first completed electronic imaging of permanent records in the\nOPFs with the ImageNow system, consistency in scanning documents has fallen off, and\nelectronic versions of some documents\xe2\x80\x94essential for disaster recovery purposes--have not been\nmaintained or are otherwise missing documents. OHR informed us that they are currently\nscanning documents again, but it still needs to go back and determine the earlier work that was\nnot scanned. Because OHR does not maintain logs or have a formal process in place to\ndetermine scanning progress and/or completion, we were unable to determine the extent of\nmissing documents. OHR explained that imaging is not up-to-date because the system was down\nfrom January 2005 through April 2005, and those documents that should have been imaged\nduring that time period were not.\n\nOCIO provides trouble-shooting and servicing to OHR for the ImageNow system. Moreover,\nNCUA recently approved Share Point as an intranet application with an ImageNow plug for\nimplementation in 2007. Other departments and OHR will be able to use the Share Point /\nImageNow applications at no cost to them. OCIO indicated it would be possible for OHR to\ntransition from ImageNow to Share Point and ultimately, to transition to an electronic OPF\nsystem.\n\nOPM has not certified ImageNow for use as an electronic OPF system. As explained above,\nNCUA used the ImageNow system to scan permanent records filed in the OPFs (SF 50\xe2\x80\x99s) as part\nof the agency\xe2\x80\x99s disaster recovery plan. While the imaged documents are stored electronically on\nthe NCUA computer system, they do not constitute an electronic OPF system.\n\nRecommendation 4\nIf NCUA plans to continue to use OPF documents scanned into the ImageNow system for\ndisaster recovery purposes, then the OHR should determine what required documents have not\nbeen scanned and correct any backlog as soon as possible.\n\nManagement Response\nImageNow was experiencing problems from April 2005 through December 2006 and again April\n2007 to June 2007. Based on those dates OHR can determine what documents in the OPF that\nstill needs to be scanned and will ensure that these documents are scanned. However, those\nmissing imaged documents would not prevent OHR from reconstructing an OPF. OHR does not\nsolely depend on ImageNow as a source of OPF reconstruction. According to the \xe2\x80\x9cGuide to\nPersonnel Recordkeeping\xe2\x80\x9d a transcript of service, which is a summary of all personnel actions\n\n\n                                             8\n\x0cprocessed, serves as the official documentation for OPF reconstruction. OPM maintains these\ntranscripts and provides them to agencies upon request.\n\nOIG Response\nWe agree with the proposed action to ensure all documents are scanned. We did not question in\nthe report that OPM is the source for reconstruction of OPFs. However, NCUA is utilizing\nImageNow for OPFs for its use in disaster recovery. If the images are not up to date then NCUA\ndoes not have an adequate system for its COOP. We agree that the action taken to scan the\nremaining documents will provide the agency with OPF back up for disaster recovery purposes.\n\n\n\n\n                                            9\n\x0cAPPENDIX A \xe2\x80\x93 MANAGEMENT COMMENTS\n\n\nTO:           William DeSarno, Inspector General\n              Office of the Inspector General\n\nFROM:         J. Leonard Skiles, Executive Director /S/\n\nSUBJ:         Comment on Draft Report of NCUA\xe2\x80\x99s Official Personnel Folders\n\nDATE:         September 21, 2007\n\nThis is in response to the draft report entitled \xe2\x80\x9cReview of NCUA\xe2\x80\x99s Official Personnel\nFolders\xe2\x80\x9d conducted by your staff in August. The report included recommendations\nbased on a sample review of 30 official personnel folders (OPFs). The Office of Human\nResources (OHR) maintains 946 OPFs. The following comments are in response to the\nrecommendations in that report.\n\n        Recommendation #1 \xe2\x80\x93 OHR should develop formal OPF control procedures.\n        The procedures should address the OHR\xe2\x80\x99s compliance with OPM\xe2\x80\x99s requirements\n        and guidance for accuracy and completeness of the Off\xe2\x80\x99s.\n\n        OHR\xe2\x80\x99s Division of Staffing, Classification and Pay is drafting various standard\n        operating procedures (SOPs) relating to the maintenance (i.e., accuracy and\n        completeness) of OPFs. In OHR\xe2\x80\x99s 2008 budget submission, it has requested\n        $100,000 for OPF review and clean-up, and evaluation of processing methods.\n\n        Recommendation #2 \xe2\x80\x93 The internal control procedures should require\n        development of management reports and checklists as needed to monitor OPF\n        activity in the department and to ensure consistent and timeliness in the\n        procedures\xe2\x80\x99 application.\n\n        OHR will develop checklists, in accordance with the guidance outlined in the\n        \xe2\x80\x9cGuide to Personnel Recordkeeping,\xe2\x80\x9d which will address managerial oversight\n        and control of the OPF maintenance SOPs referenced above.\n\n        Recommendation #3 \xe2\x80\x93 OHR should review all NCUA OPFs and make\n        appropriate corrections to ensure that all documentation in every OPF is currently\n        accurate, up-to-date, and ready for migration to an electronic OPF system.\n\n        OHR plans to perform OPF clean up in compliance with the \xe2\x80\x9cGuide to Personnel\n        Recordkeeping\xe2\x80\x9d as well as for the migration to the electronic OPF format in the\n        next few years.\n\n\n\n\n                                          10\n\x0c       Recommendation #4 \xe2\x80\x93 If NCUA plans to continue to use OPF documents\n       scanned into the ImageNow system for disaster recovery purposes, then the\n       OHR should determine what required documents have not been scanned and\n       correct any backlog as soon as possible.\n\n       ImageNow was experiencing problems from April 2005 through December 2006\n       and again April 2007 to June 2007. Based on those dates OHR can determine\n       what documents in the OPF that still needs to be scanned and will ensure that\n       these documents are scanned. However, those missing imaged documents\n       would not prevent OHR from reconstructing an OPF. OHR does not solely\n       depend on ImageNow as a source of OPF reconstruction. According to the\n       \xe2\x80\x9cGuide to Personnel Recordkeeping\xe2\x80\x9d a transcript of service, which is a summary\n       of all personnel actions processed, serves as the official documentation for OPF\n       reconstruction. OPM maintains these transcripts and provides them to agencies\n       upon request.\n\nOHR staff also reviewed the survey sample. Based on that review OHR found13, of the\n30 OPFs reviewed, not in compliance with the Guide to Personnel Recordkeeping\xe2\x80\x9d and\nthe \xe2\x80\x9cGuide to Processing Personnel Actions.\xe2\x80\x9d Within the 13 OPFs the following\ndiscrepancies were found:\n\n   \xe2\x80\xa2   1 SF-50 missing\n   \xe2\x80\xa2   8 Prohibited documentation in 2 OPFs\n   \xe2\x80\xa2   11 Misfiled documents in 8 OPFs\n   \xe2\x80\xa2   9 Documents not in chronological order in 3 OPFs\n   \xe2\x80\xa2   3 Unexplained erasures in 3 OPFs\n   \xe2\x80\xa2   All personnel actions requiring a signature were signed (Pay adjustments do not\n       require a signature)\n\nAttached is a spreadsheet of those findings based on OHR\xe2\x80\x99s review of the OPFs in the\nsurvey. Thank you for the opportunity to comment on your report.\n\nNote: The OIG did not include the spreadsheet in the appendix because it contains\npersonally identifiable information. However, NCUA summarizes the results of the\nspreadsheet in the bullets above.\n\n\n\n\n                                         11\n\x0c'